8/26/2010 02:27 PM
Mariposa Botnet Operators Didn't Bite In 'Cookie-Stuffing' Offer

Ecommerce fraud technique steals commission, referral fees from website affiliates

The Slovenian man recently arrested for allegedly writing the malware used to build the now-infamous Mariposa botnet also sold an additional feature for his bot software, a form of cookie fraud known as "cookie-stuffing."

According to the researcher who helped take down Mariposa, the Spanish operators who bought the bot software from the Slovenian man known as "Iserdo" and then built Mariposa did not, for whatever reason, opt for the feature, which he offered for 200 euros, even though it would have increased their potential profits. "That was one module they didn't buy," says Luis Corrons, technical director of PandaLabs, which teamed up with the FBI, Defence Intelligence, and Georgia Tech to derail the botnet in December of last year. "The most likely explanation is that they didn't even know what it was about. Otherwise, they could have multiplied the profit they were doing."

Mariposa, a massive global botnet that infected close to 13 million machines in more than 190 countries, harvested banking credentials, credit card information, account information from social networking sites and online email services, and other usernames and passwords.

Cookie-stuffing would have added another revenue stream for the Mariposa operators. In this often-overlooked but lucrative form of fraud, the fraudster plants his own affiliate-tracking cookie on top of the legitimate one, so the browser carries the fraudster's affiliate identifier instead of the real affiliate's. Websites with affiliate programs pay a commission to affiliates, such as reward sites, for bringing in customers who ultimately conduct transactions on the site.

But a cookie-stuffing attack ensures that the fraudster gets the commission, not the affiliate. So if a customer who visited an affiliate site infected with cookie-stuffing then purchases an antivirus package from an AV vendor, his tampered purchase cookie credits the bad guy, and the website pays the commission to the bad guy rather than to the legitimate affiliate. "The final user [customer] doesn't notice it, as he is not charged more money for his online purchases. The real affiliates will think that the user has not bought any items, and that's why they're not getting their commission. And some sellers will even be really happy thinking that they have a very active affiliate," explains Corrons.

Websites rigged with cookie-stuffing often don't even know it. Corrons says cookie-stuffing may be responsible for stealing millions of dollars on a daily basis. "The truth is that nobody is able to calculate the amount of money that is being stolen using this technique, mainly because [sites often don't] realize that the robbery is taking place. But for sure it is in the millions at least," Corrons says.

An executive from a Spanish airline recently told Corrons that his company had discovered it was paying hundreds of thousands of euros per month to a Turkish man located in Germany. "They were sure he was practicing cookie-stuffing, but they couldn't prove it," Corrons says.

Cookie-stuffing attacks have been used for years, he says. "I've been tracking this for more than a year now, but unfortunately it is not that easy to find out a way to measure this fraud. The good news is that the affiliate networks are already aware of this problem, and most of them have their license agreements, and the final sellers can also realize this and cancel the commissions. The greedier the criminals are, the easier the seller will notice," he says. "However, if the criminal is smart enough they can be doing this for years without anyone noticing it, and 'earning' thousands each month."
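The two defensive levers the article points at, that a conversion should be credited only to a click the network itself logged, and that "greedy" stuffing shows up as an abnormal pattern a seller or network can notice, are easy to make concrete. The following is an added example, not code from the article, PandaLabs, Mykonos or any real affiliate network: a small attribution service that mints a signed click cookie only when the affiliate link is actually served, refuses cookies it did not mint, holds payouts for clicks that arrived from hosts the affiliate never registered, and audits affiliates whose clicks mostly overwrite another affiliate's cookie or arrive from unregistered hosts. The affiliate ids, hostnames, signing key and timestamps are all constructed for the demo.

```python
"""Affiliate attribution with network-logged clicks and a cookie-stuffing audit.

Added example; not the article's or any affiliate network's code. Every id,
host, key and timestamp below is constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumption: network-side secret


@dataclass
class Click:
    affiliate: str
    ts: int
    referer_ok: bool            # request came from a host the affiliate registered
    overwrote: Optional[str]    # affiliate whose cookie this click replaced, if any


@dataclass
class AffiliateNetwork:
    # affiliate id -> hosts that affiliate registered with the network (constructed)
    registered_hosts: dict[str, set[str]]
    clicks: dict[str, Click] = field(default_factory=dict)
    max_age: int = 7 * 86400    # attribution window in seconds

    def _sign(self, payload: str) -> str:
        return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def _verify(self, cookie: Optional[str]):
        """Return (affiliate, click_id, ts) if the cookie carries our signature, else None."""
        if not cookie or cookie.count(":") != 3:
            return None
        payload, sig = cookie.rsplit(":", 1)
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        affiliate, click_id, ts = payload.split(":")
        return affiliate, click_id, int(ts)

    def record_click(self, affiliate: str, referer_host: Optional[str], now: int,
                     prior_cookie: Optional[str] = None) -> str:
        """Server side of an affiliate link request; returns the cookie value to set.

        Cookies are minted only here, so a conversion can be credited only to a
        click the network logged itself, never to a value a page planted on its own."""
        prior = self._verify(prior_cookie)
        overwrote = prior[0] if prior and prior[0] != affiliate else None
        referer_ok = referer_host in self.registered_hosts.get(affiliate, set())
        click_id = secrets.token_hex(8)
        self.clicks[click_id] = Click(affiliate, now, referer_ok, overwrote)
        payload = f"{affiliate}:{click_id}:{now}"
        return f"{payload}:{self._sign(payload)}"

    def attribute_conversion(self, cookie: Optional[str], now: int) -> tuple[str, Optional[str]]:
        """Decide the commission: ('credit', aff), ('hold', aff) or ('reject', None)."""
        parsed = self._verify(cookie)
        if parsed is None:
            return "reject", None           # missing, tampered or forged cookie
        affiliate, click_id, ts = parsed
        click = self.clicks.get(click_id)
        if click is None or click.affiliate != affiliate:
            return "reject", None           # signed, but not a click this network logged
        if now - ts > self.max_age:
            return "reject", None           # outside the attribution window
        if not click.referer_ok:
            return "hold", affiliate        # pay only after a human reviews the source
        return "credit", affiliate

    def audit(self, min_clicks: int = 5, max_bad_share: float = 0.5) -> list[str]:
        """Flag affiliates whose clicks mostly overwrite another affiliate's cookie or
        arrive from unregistered hosts: the pattern a greedy operator leaves behind."""
        per_aff: dict[str, list[Click]] = {}
        for c in self.clicks.values():
            per_aff.setdefault(c.affiliate, []).append(c)
        flagged = []
        for aff, cs in per_aff.items():
            if len(cs) < min_clicks:
                continue
            bad = sum(1 for c in cs if not c.referer_ok or c.overwrote)
            if bad / len(cs) > max_bad_share:
                flagged.append(aff)
        return sorted(flagged)


def demo() -> dict:
    """Constructed scenario: an honest reward site versus an affiliate whose link is
    fired by unrelated pages, each time on top of the reward site's cookie."""
    net = AffiliateNetwork({"rewards-site": {"rewards.example"}, "stuffer": {"blog.example"}})
    t0 = 1_700_000_000
    honest = net.record_click("rewards-site", "rewards.example", t0)
    stuffed = honest
    for i, host in enumerate(["forum.example", "pics.example", "news.example",
                              "forum.example", "video.example"]):
        stuffed = net.record_click("stuffer", host, t0 + 60 + i, prior_cookie=stuffed)
    payload, sig = honest.rsplit(":", 1)
    forged = payload.replace("rewards-site", "stuffer") + ":" + sig   # relabelled cookie
    return {
        "honest": net.attribute_conversion(honest, t0 + 3600),
        "stuffed": net.attribute_conversion(stuffed, t0 + 3600),
        "forged": net.attribute_conversion(forged, t0 + 3600),
        "expired": net.attribute_conversion(honest, t0 + 30 * 86400),
        "flagged": net.audit(),
    }
```

Running `demo()` credits the reward site, holds the stuffed conversion for review rather than paying it, rejects the relabelled and the stale cookie, and the audit lists the affiliate whose every click came from an unregistered host. The design choice is that the last-click cookie alone never decides a payout: the network's own click log, the request's origin and the affiliate's aggregate behaviour all have to agree.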

eBay has been aggressively going after cookie-stuffers, and a Las Vegas man was arrested in February for allegedly running a cookie-stuffing operation where he sold a cookie-stuffing tool that let fraudsters siphon advertising referrals or commissions out of eBay, according to a published report in Wired. eBay was duped into paying these referrals "despite the fact that no eBay advertisement or link on the affiliate website or webpage had actually been clicked," according to the charges.

Kyle Adams, chief architect at Mykonos, says it makes sense that the Mariposa operators didn't include cookie-stuffing because it would be too conspicuous to execute this type of web fraud via a botnet. "You don't need to compromise a machine to be doing it. It can be launched by posting a comment," Adams says. "For a bot, it would be overkill. There are easier ways to do it, and a botnet would be visible."

Adams says maybe the bot software creator for Mariposa just offered the feature to see if it would fly. "He might have been throwing it in to see if people pick it up," he says.

Al Huizenga, director of product management at Mykonos, says it's the websites that join big affiliate programs, for the Amazons and eBays, for instance, that are getting hurt. "They're not going to get paid out. It's not their fault ... they've been exploited. But it pollutes all the downstream transactions as a result of that behavior," he says. "But the eBays who get the final traffic continue to do quite well."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
